[Owasp-turkey] Find the Bug #1

Bedirhan Urgun bedirhanurgun at gmail.com
Sat Oct 10 08:49:23 EDT 2009


hello,
Security problems that originate in software are known to all of us. At short
intervals I will be sending mails in which we can find and discuss code-based
security problems. Which security problem(s) does the Java snippet below have,
and how are they solved?

bedirhan

Find the Bug #1
--------------------

  private void doDownload( HttpServletRequest request, HttpServletResponse response ) {
    try {

      // get the user
      HttpSession session = request.getSession();
      User user = (User) session.getAttribute(UserConst.userAttr);
      String filename = user.downloadDirPath + separator + request.getParameter("filename");
      reportLog.writeln("Download Request User:" + user.userName + " FileName:" + filename);
      File f = new File(filename.trim());

      // get servlet output stream
      ServletOutputStream op = response.getOutputStream();

      response.setContentLength((int) f.length());
      response.setHeader("Content-Disposition", "attachment; filename=\"" + request.getParameter("filename") + "\"");
      response.setHeader("Content-Type", "application/octet-stream");
      byte[] bbuf = new byte[255];
      DataInputStream in = new DataInputStream(new FileInputStream(f));

      int length = 0;
      while( (in != null) && ((length = in.read(bbuf)) != -1) )
        op.write(bbuf, 0, length);
      in.close();
      op.flush();
      op.close();

      reportLog.writeln("Download Response User:" + user.userName + " FileName:" + filename + " Success ");
    }
    catch( Exception e ) {
      SendException(e, request, response);
    }
  }
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-turkey/attachments/20091010/f402c2bc/attachment.html 
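Editor's added example, not part of the original post or of the code the list member is asking about. In the snippet above the request parameter "filename" flows unchanged into three sinks: the File path, the Content-Disposition header, and the report log. The class below shows the input-handling checks a hardened doDownload() would apply before each of those sinks: containment of the resolved path inside the user's download directory, stripping of CR/LF and quotes from the header value, and neutralising CR/LF in the log line. The servlet plumbing is left out so the class compiles on its own; the base directory, the file it contains and the sample request values are constructed for the demonstration, and the names SafeDownload, resolveInside, contentDispositionFor and logLine are this example's own, not the original project's.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class SafeDownload {

    // Allow-list for the request parameter: a plain file name, no separators,
    // must start with a letter or digit (so "." and ".." never match).
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    /**
     * Resolves the requested name under baseDir and refuses anything that
     * would escape it. The canonical base is computed first so that symlinks
     * and "../" components cannot move the target outside the directory.
     */
    static Path resolveInside(Path baseDir, String requested) throws IOException {
        if (requested == null || !SAFE_NAME.matcher(requested).matches()) {
            throw new IOException("rejected file name");
        }
        Path base = baseDir.toRealPath();              // canonical form of the directory
        Path target = base.resolve(requested).normalize();
        if (!target.startsWith(base)) {                // defence in depth behind the allow-list
            throw new IOException("path escapes download directory");
        }
        if (!Files.isRegularFile(target)) {
            throw new IOException("not a regular file");
        }
        return target;
    }

    /** Header value with CR, LF, quotes and backslashes replaced, so the
     *  response header cannot be split or the quoted filename broken out of. */
    static String contentDispositionFor(String name) {
        String clean = (name == null ? "" : name).replaceAll("[\\r\\n\"\\\\]", "_");
        return "attachment; filename=\"" + clean + "\"";
    }

    /** Log line with line breaks neutralised, so one request cannot forge
     *  additional entries in the report log. */
    static String logLine(String userName, String requested) {
        String u = (userName == null ? "" : userName).replaceAll("[\\r\\n]", "_");
        String f = (requested == null ? "null" : requested).replaceAll("[\\r\\n]", "_");
        return "Download Request User:" + u + " FileName:" + f;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary download directory holding one file.
        Path baseDir = Files.createTempDirectory("downloads");
        Files.write(baseDir.resolve("report.pdf"), "demo".getBytes());

        // Constructed request values: one legitimate name and three that must be refused.
        String[] requests = { "report.pdf", "../../etc/passwd", "/etc/passwd", "x\r\nSet-Cookie: a=b" };
        for (String r : requests) {
            try {
                Path p = resolveInside(baseDir, r);
                System.out.println("OK   " + r.replace("\r\n", "\\r\\n") + " -> " + p);
            } catch (IOException e) {
                System.out.println("DENY " + r.replace("\r\n", "\\r\\n") + " (" + e.getMessage() + ")");
            }
            System.out.println("     header: " + contentDispositionFor(r));
            System.out.println("     log:    " + logLine("alice", r));
        }
    }
}
```

Each helper sits in front of exactly one sink of the original snippet, so a reviewer can check that the request parameter no longer reaches the file system, the header or the log without passing through a validation step. Rejecting on the allow-list first and checking `startsWith(base)` second means a gap in either check alone does not open the directory.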

